Closed Bug 300349 Opened 20 years ago Closed 20 years ago

Another zlib-1.2.2 buffer overflow

Categories: Core :: Networking: HTTP (defect); Priority: Not set; Severity: normal

Tracking: Status: VERIFIED FIXED; Target Milestone: mozilla1.8beta4

People: Reporter: glennrp+bmo, Assigned: darin.moz

Details: Keywords: crash; Whiteboard: [sg:fix]

Attachments: 1 file

While working on bug #299425, the zlib team has discovered another vulnerability. The fix (by Mark Adler) is to change a couple of settings in inftrees.h: --- 36,47 ---- */ /* Maximum size of dynamic tree. The maximum found in a long but non- ! exhaustive search was 1444 code structures (852 for length/literals ! and 592 for distances, the latter actually the result of an exhaustive search). The true maximum is not known, but the value below is more than safe. */ ! #define ENOUGH 2048 ! #define MAXD 592
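Review bot: the comment text above the defines says "the value below is more than safe", but only ENOUGH (2048) carries a margin over the observed 1444; MAXD is set to exactly 592, the figure the comment itself calls the result of an exhaustive distance search, so the comment should say that MAXD is an exact bound rather than a padded one, or a later reader may treat it as a tunable with slack. The hunk touches only inftrees.h, and the arrays that are dimensioned with ENOUGH and MAXD are outside what is shown here; confirm that every code table is sized from these two macros and that nothing still carries the previous literal values.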
Flags: blocking1.8b4+
Flags: blocking1.8b3?
Whiteboard: [sg:fix]
Attaching patch from initial comment so we can attach appropriate flags
Attachment #188933 - Flags: superreview+
Attachment #188933 - Flags: review?(cbiesinger)
Attachment #188933 - Flags: approval1.8b4?
Attachment #188933 - Flags: approval1.8b3?
Is this exploitable?
Comment on attachment 188933 (patch from initial comment): rs=me, I guess. I don't know this code at all.
Attachment #188933 - Flags: review?(cbiesinger) → review+
Re: comment #2: Mark Adler seems to be more concerned about this one than the previous, probably because it's easier to understand. The team has a demo file that crashes zlib but aren't distributing it right now.
Like the previous bug, this one was apparently introduced in zlib-1.2.0 and does not affect version 1.1.4.
Whoops, the cross reference in my original comment is incorrect. It should say bug #299445. Sorry.
Flags: blocking1.8b3? → blocking1.8b3-
Attachment #188933 - Flags: approval1.8b4?
Attachment #188933 - Flags: approval1.8b4+
Attachment #188933 - Flags: approval1.8b3?
Zlib developers have released zlib-1.2.3, which includes the fix for this and the other recent security bug. At this point we probably should upgrade to 1.2.3 instead of patching the bug. See zlib.net/zlib-1.2.3.tar.gz. Here is the announcement from Mark Adler:

All,

Thank you very much for your testing. zlib 1.2.3 is available here:

http://zlib.net/zlib-1.2.3.tar.gz

This is the final version. I would appreciate it if someone could generate zip and dll versions with the same conventions used for the previous release. Thanks.

mark

MD5(zlib-1.2.3.tar.gz)= debc62758716a169df9f62e6ab2bc634
SHA1(zlib-1.2.3.tar.gz)= 60faeaaf250642db5c0ea36cd6dcc9f99c8f3902

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQBC27A4eD/Njli8r7oRAkknAKDT33PcLS0aTOAK1BhZSmqXUy0LmwCfTQdU
WGxs9D/VFnlBbRkM4KQY6X8=
=cu2V
-----END PGP SIGNATURE-----
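Two facts in this thread are what a deployer actually needs: the affected version range (the earlier comment says the bug was introduced in zlib-1.2.0 and does not affect 1.1.4, and the fix ships in 1.2.3) and the MD5/SHA1 digests Mark Adler posted for the 1.2.3 tarball. The script below is an added example, not code from this bug, from Mozilla or from zlib: it verifies a downloaded zlib-1.2.3.tar.gz against those digests and classifies a zlib version string as inside or outside the affected range. It assumes a POSIX sh with either GNU md5sum/sha1sum or BSD md5/shasum on the PATH; the command-line invocation and the decision to treat four-part pre-release versions (1.2.2.x) as their base release are my assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example (not code from bug 300349, Mozilla or zlib): verify a zlib-1.2.3
# tarball against the digests posted in this bug, and decide whether a given
# zlib version string falls in the affected range.

# Digests copied from Mark Adler's zlib 1.2.3 announcement quoted above.
ZLIB_123_MD5=debc62758716a169df9f62e6ab2bc634
ZLIB_123_SHA1=60faeaaf250642db5c0ea36cd6dcc9f99c8f3902

# digest ALGO FILE: print the hex digest of FILE with ALGO (md5 or sha1),
# using the GNU coreutils tools when present and the BSD/macOS tools otherwise.
digest() {
  case "$1" in
    md5)
      if command -v md5sum >/dev/null 2>&1; then md5sum "$2" | cut -d' ' -f1
      else md5 -q "$2"; fi ;;
    sha1)
      if command -v sha1sum >/dev/null 2>&1; then sha1sum "$2" | cut -d' ' -f1
      else shasum -a 1 "$2" | cut -d' ' -f1; fi ;;
    *) echo "unknown digest algorithm: $1" >&2; return 2 ;;
  esac
}

# verify_tarball FILE EXPECTED_MD5 EXPECTED_SHA1: succeed only if both digests
# match. Both were published, so both are checked; either mismatch is a reject.
verify_tarball() {
  [ "$(digest md5 "$1")" = "$2" ] || return 1
  [ "$(digest sha1 "$1")" = "$3" ] || return 1
  return 0
}

# zlib_affected VERSION: succeed if VERSION is in 1.2.0 .. 1.2.2, the range the
# thread gives (introduced in 1.2.0, fixed in 1.2.3, 1.1.4 not affected).
# Four-part pre-release versions such as 1.2.2.x are treated as their base
# release, the conservative choice (my assumption, not stated in the thread).
zlib_affected() {
  IFS=. read -r major minor rest <<EOF
$1
EOF
  patch=${rest%%.*}
  if [ "$major" = 1 ] && [ "$minor" = 2 ] && [ "${patch:-0}" -le 2 ]; then
    return 0
  fi
  return 1
}

# Assumed command-line use: ./check-zlib.sh zlib-1.2.3.tar.gz [INSTALLED_VERSION]
# The tarball itself comes from http://zlib.net/zlib-1.2.3.tar.gz (see above).
if [ $# -ge 1 ]; then
  if verify_tarball "$1" "$ZLIB_123_MD5" "$ZLIB_123_SHA1"; then
    echo "$1: digests match the zlib 1.2.3 announcement"
  else
    echo "$1: digest mismatch, do not build from this tarball" >&2
    exit 1
  fi
fi
if [ $# -ge 2 ]; then
  if zlib_affected "$2"; then
    echo "zlib $2 is in the affected range (1.2.0 .. 1.2.2), upgrade to 1.2.3"
  else
    echo "zlib $2 is outside the affected range"
  fi
fi
```

The digest check is only as good as the digests you compare against; here they are taken from the announcement quoted in this bug, so a copy of the tarball that matches both values is the same bytes the zlib team released. The version check is deliberately narrow: it answers the one question the thread settles (is this build between 1.2.0 and 1.2.2 inclusive) and does not try to reason about other releases.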
I will upgrade mozilla/security/nss/cmd/zlib to zlib 1.2.3 (bug 301212).
Now that zlib-1.2.3 has been released this can be public. Removing security-sensitivity flag.
Someone empowered to do so, please clear the security-sensitive flag.
Zlib-1.2.3 has been released and has been published on the zlib web site, http://www.zlib.net. See bug #301646 for a patch to upgrade modules/zlib.
Group: security
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.8beta4
fixed-on-trunk
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
No longer depends on: 301646
Status: RESOLVED → VERIFIED